kubernetes高可用架構
在之前的實驗中,kubernetes叢集都是一臺master和兩臺node組成的小叢集,在實際的生產環境中需要考慮到叢集的高可用。
在node節點實際已經實現了高可用,pod分佈在不同的節點上,當一個節點宕機的時候,其上的pod會漂移到正常的節點上。所以,重點的高可用重心就要放在master上。
官方的master節點高可用架構
圖中可以看出,使用者通過kubectl傳送命令經過LB進行負載均衡到後端的master上的apiserver,再由具體的某一個master進行向叢集內部的節點的轉發。
同理,節點也是通過LB進行負載均衡連線到master上的apiserver,去獲取到apiserver中配置的資訊。
其他高可用叢集架構
圖中可以看到,每一臺node上都部署了 nginx做負載均衡到master的apiserver,而kube-scheduler和controller-manager不需要做高可用,因為它們預設會通過選舉產生,可以通過下面的命令檢視:
實現過程
master節點擴充套件
將master節點擴充套件至2個,新增加的master的ip為:10.10.99.240
在原先的master上的server-csr.json
中增加新增額度master的ip:
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1" ,
"10.10.10.1",
"10.10.99.225",
"10.10.99.233",
"10.10.99.228",
"10.10.99.240",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa" ,
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Shenzhen",
"ST": "Guangzhou",
"O": "k8s",
"OU": "System"
}
]
}
重新生成server證書:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
cp -p server-key.pem server.pem /opt/kubernetes/ssl/
重啟apiserver:
systemctl restart kube-apiserver
將原先master上的/opt/kubernetes傳送到新的master節點上:
scp -r /opt/kubernetes/ root@10.10.99.240:/opt
從原先的master上拷貝服務的配置檔案到新的master上:
scp /usr/lib/systemd/system/{kube-apiserver,kube-scheduler,kube-controller-manager}.service root@10.10.99.240:/usr/lib/systemd/system/
修改新master節點上的kube-apiserver
配置檔案:
KUBE_APISERVER_OPTS="--logtostderr=true \
--v=4 \
--etcd-servers=https://10.10.99.225:2379,https://10.10.99.228:2379,https://10.10.99.233:2379 \
--insecure-bind-address=127.0.0.1 \
--bind-address=10.10.99.240 \
--insecure-port=8080 \
--secure-port=6443 \
--advertise-address=10.10.99.240 \
--allow-privileged=true \
--service-cluster-ip-range=10.10.10.0/24 \
--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node \
--kubelet-https=true \
--enable-bootstrap-token-auth \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-50000 \
--tls-cert-file=/opt/kubernetes/ssl/server.pem \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/kubernetes/ssl/ca.pem \
--etcd-certfile=/opt/kubernetes/ssl/server.pem \
--etcd-keyfile=/opt/kubernetes/ssl/server-key.pem"
將advertise-address和bind-address改為本機的ip
啟動新master上的元件:
systemctl daemon-reload
systemctl start kube-apiserver.service
systemctl enable kube-apiserver.service
systemctl start kube-scheduler.service
systemctl enable kube-scheduler.service
systemctl start kube-controller-manager.service
systemctl enable kube-controller-manager.service
在新的master上使用kubectl檢視叢集中的節點:
echo PATH=$PATH:/opt/kubernetes/bin >> /etc/profile
source /etc/profile
kubectl get node
在新的master上安裝iptables並新增預設規則:
yum remove firewalld
yum install -y iptables iptables-services
systemctl start iptables
systemctl enable iptables
vim /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.1.0.0/20 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.10.0.0/12 -j ACCEPT
-A RH-Firewall-1-INPUT -s 172.16.1.0/24 -m udp -p udp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -s 172.30.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.254.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
測試,之前在node節點上也裝了一個kubectl,在那個節點上修改 /root/.kube/config
中的server
欄位指向新的master,然後在這個節點測試命令kubectl get node
也是可以檢視到node資訊的。
node節點配置
首先在兩臺node節點上安裝nginx做4層負載均衡:
yum install -y nginx
將來node節點的kubelet和proxy將連線本地的nginx,然後nginx做負載均衡轉發到master上的apiserver
配置nginx:
vim /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
stream {
log_format main '$remote_addr $upstream_addr - [$time_local] $status $upstream_bytes_sent';
access_log /var/log/nginx/k8s-access.log main;
upstream k8s-apiserver {
server 10.10.99.225:6443;
server 10.10.99.240:6443;
}
server {
listen 127.0.0.1:6443;
proxy_pass k8s-apiserver;
}
}
在node節點上修改bootstrap.kubeconfig kubelet.kubeconfig kube-proxy.kubeconfig
中的apiserver地址為本地:
server: https://127.0.0.1:6443
在node節點上重啟服務:
systemctl restart kubelet.service
systemctl restart kube-proxy.service
在node節點上啟動nginx:
systemctl start nginx
systemctl enable nginx
檢視一下nginx日誌有沒有代理記錄:
tail /var/log/nginx/k8s-access.log